Dissertation/essay topic: Security and confidentiality problems in cloud technologies at the architectural level


Contents

  • Chapter 1. Introduction
  • Chapter 2. Background and related work
    • 2.1. Problems and vulnerabilities of cloud computing systems
    • 2.2. Activities of organizations in standardizing cloud computing security systems
    • 2.3. Brief analysis of the state of research
    • 2.4. Attitudes to the security of cloud technologies from the standpoint of user trust
  • Chapter 3. Virtualization
    • 3.1. Introduction
    • 3.2. Hypervisor
      • 3.2.1. Buffer overflow and arbitrary code execution
      • 3.2.2. Escalation of user privileges inside a virtual machine
      • 3.2.3. Denial of service
      • 3.2.4. Ways of protecting the hypervisor
    • 3.3. Virtual machine vulnerabilities
      • 3.3.1. VM Escape. Breaking out of the virtual machine perimeter
      • 3.3.2. Monitoring a virtual machine from the host
      • 3.3.3. Attacking a virtual machine from another virtual machine
      • 3.3.4. Denial-of-service attack
      • 3.3.5. External influence on a virtual machine
      • 3.3.6. Ensuring security
    • 3.4. Virtual networks
      • 3.4.1. Main vulnerabilities of virtual networks
      • 3.4.2. Vulnerabilities of cryptographic algorithms
      • 3.4.3. Vulnerabilities of cryptographic keys
      • 3.4.4. Random number generators
      • 3.4.5. Vulnerabilities of the authentication procedure
      • 3.4.6. Implementation vulnerabilities
      • 3.4.7. User-level vulnerabilities
      • 3.4.8. Ensuring security
    • 3.5. Conclusions
  • Chapter 4. Multi-tenancy
    • 4.1. Introduction
    • 4.2. Side-channel attacks
      • 4.2.1. Classification of side-channel attacks
      • 4.2.2. Common side-channel attacks
        • 4.2.2.1. Probing attack
        • 4.2.2.2. Timing attack
        • 4.2.2.3. Computation fault attacks
        • 4.2.2.4. Power consumption attacks
        • 4.2.2.5. Electromagnetic emanation attacks
        • 4.2.2.6. Visible-light emanation attacks
      • 4.2.3. Countermeasures against side-channel attacks
        • 4.2.3.1. Shielding
        • 4.2.3.2. Adding noise
        • 4.2.3.3. Equalizing the execution time of operations
        • 4.2.3.4. Balancing power consumption
        • 4.2.3.5. Eliminating conditional branches
        • 4.2.3.6. Making computation independent of data
    • 4.3. Shared use of physical resources
      • 4.3.1. DDoS attack
      • 4.3.2. Mechanisms of protection against DDoS attacks
    • 4.4. Protection against data leakage
    • 4.5. Conclusions
  • Chapter 5. Authentication and Authorisation
    • 5.1. Authentication and authorisation
      • 5.1.1. Introduction
      • 5.1.2. Authentication with reusable passwords
      • 5.1.3. Authentication based on one-time passwords
      • 5.1.4. Authentication by presenting a digital certificate
      • 5.1.5. Use of smart cards and USB keys
      • 5.1.6. Authorisation and authentication threats and their solutions
    • 5.2. Transport SSL Encryption (Heartbleed vulnerability)
      • 5.2.1. Use of SSL
      • 5.2.2. SSL threats and their solutions
    • 5.3. Access control
    • 5.4. Conclusions
  • Chapter 6. Discussion
  • Chapter 7. Conclusion
  • References

In a cloud computing model, where users have access to cloud-based services from any terminal device that has access to the Internet, the role of network access control is significantly reduced. The reason is that standard network access control focuses on protecting resources against unauthorized access based on the attributes of the terminal devices, which in most cases are defective, are not unique to different users and may cause incorrect evaluation. In cloud computing, network access control policy takes the form of cloud firewalls.

In contrast to network access control, user access control should be given greater attention in cloud computing, as it relates to identifying the user who accesses resources in the cloud. User access control includes strict authorization, single sign-on (SSO) technology, privilege management, and the recording and monitoring of cloud computing resources, and it plays a significant role in protecting the confidentiality and integrity of information in cloud computing (Meghanathan, 2013).

In the SaaS delivery model, the CSP (cloud service provider) is responsible for managing all aspects of the network infrastructure, servers and applications. In such a model, where the application is delivered as a service to end users, usually via a web browser, network-oriented control systems become less relevant and are replaced by user access control; for example, one-time passwords are used for authorization. Thus, we should pay attention to user access control (authentication, association, privilege management, deinitialization, etc.) to protect the information stored in SaaS.

For example, access control in Salesforce.com is organized through a set of filters, which at first seem simple, but this impression is deceptive. Each of the filters can be applied to groups or classes of user accounts.

1. The rights of a user class to view a table, an object, or a functional area are defined with profiles.

2. The rights of a user class to view a table column (object attribute) are defined with profiles.

3. The rights of a user class to view a record (row or instance) are defined with roles.

4. Record types determine which profiles are allowed to view individual cells within a record, and can be used to restrict access to almost any function or object class.

These filters have modifiers that allow delegating rights and extending the area of access for privileged users. However, for most users, the opportunities provided by the filtering mechanism are quite enough. Sometimes it even makes them discontented. Blocking and filtering can be implemented in the context of the current state and depending on the specific needs of the business.
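The four filters listed above can be modelled as successive checks on a single read request. The following is an added example, not code from the original text and not the Salesforce API: every class, function and data value is hypothetical, and the role hierarchy used for filter 3 (a role sees records owned by itself or by roles below it) is an assumption made for illustration.

```python
from dataclasses import dataclass

@dataclass
class Profile:
    name: str
    objects: set     # filter 1: object types this profile may view
    columns: dict    # filter 2: object type -> set of viewable columns

@dataclass
class User:
    name: str
    profile: Profile
    role: str

@dataclass
class Record:
    obj: str
    record_type: str
    owner_role: str
    cells: dict

# Filter 3 (assumed model): each role maps to its parent in the hierarchy.
ROLE_PARENT = {"rep_east": "sales_manager", "rep_west": "sales_manager",
               "sales_manager": None}

# Filter 4: record type -> column -> profiles allowed to see that cell.
RECORD_TYPE_CELLS = {"enterprise_deal": {"discount": {"manager_profile"}}}

def role_covers(viewer_role, owner_role):
    """True if viewer_role is the owner's role or one of its ancestors."""
    role = owner_role
    while role is not None:
        if role == viewer_role:
            return True
        role = ROLE_PARENT.get(role)
    return False

def visible_cells(user, record):
    """Return the cells of record that user may view; {} means no access."""
    profile = user.profile
    if record.obj not in profile.objects:                  # filter 1: object
        return {}
    if not role_covers(user.role, record.owner_role):      # filter 3: record
        return {}
    allowed = profile.columns.get(record.obj, set())       # filter 2: column
    restricted = RECORD_TYPE_CELLS.get(record.record_type, {})
    result = {}
    for column, value in record.cells.items():
        if column not in allowed:
            continue
        if column in restricted and profile.name not in restricted[column]:
            continue                                       # filter 4: cell
        result[column] = value
    return result

# Constructed sample data.
REP = Profile("rep_profile", {"Opportunity"},
              {"Opportunity": {"name", "amount", "discount"}})
MGR = Profile("manager_profile", {"Opportunity", "Forecast"},
              {"Opportunity": {"name", "amount", "discount"},
               "Forecast": {"total"}})
alice = User("alice", REP, "rep_east")
bob = User("bob", REP, "rep_west")
carol = User("carol", MGR, "sales_manager")
deal = Record("Opportunity", "enterprise_deal", "rep_east",
              {"name": "Acme renewal", "amount": 120000,
               "discount": 0.15, "internal_note": "call back"})
forecast = Record("Forecast", "standard", "sales_manager", {"total": 1})
```

Each filter fails closed: a request that misses any one layer returns nothing, which is why a peer with the same profile but a different role (bob) sees none of alice's record.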

Thus, the system allows you to set exceptions in defining the data sharing schema at both the individual and group level.

In the PaaS model, the CSP is responsible for managing access control to the network infrastructure, servers and platform applications (Meghanathan, 2013). However, customers are responsible for access control of the applications deployed on the PaaS platform. Application access control manifests as end-user access control, which includes backup and user authentication.

In the IaaS delivery model, customers are fully responsible for managing all aspects of access control to their resources in the cloud. Access to virtual servers, virtual networks, virtual storage, and applications hosted on the IaaS platform should be designed and organized by customers. In the IaaS delivery model, access control management is divided into 2 types:

1. Access control at the CSP infrastructure level (managing access to the network, hosting and application management that are owned and controlled by the CSP);

2. Access control at the virtual client level (managing access to your virtual server (virtual machine or VM), virtual storage, virtual networks and applications hosted on virtual servers).

When managing access control for infrastructure in the cloud, we as a rule consider the following aspects: network access control, virtual control of access to the server, the cloud control station and the web console.

Access control is the most important security management function in cloud models such as SPI (SaaS, PaaS, IaaS) and in the standard cloud deployment models (public, private and hybrid).

Access control is an important aspect of information protection in information systems based on cloud computing and can be a primary means of security management in the absence of encryption and other data management tools. At the moment, the access control capabilities offered by CSPs are not sufficient for corporate clients for several reasons:

1. Access control mechanisms, standards and processes are not standardized by the CSPs. In order to control access to the virtual cloud infrastructure effectively, customers need to do more to understand the CSP access control parameters and their settings.

2. The lack of unified standardization makes access control across several clouds very difficult. For example, support for SAML is not provided by any of the major CSPs.

3. Control over user access to cloud resources is implemented at a low level. Access control from the CSP usually maintains control at the network level, except for user access control. User access issues are related to authentication.

In my opinion, we should offer flexible access control based on the principles of least privilege and separation of duties (e.g., the console manager, network access, host manager).

From the perspective of corporate users, access control is the basic security assurance process for protecting the confidentiality, integrity and availability of information located in the cloud. A reliable access control program should include backup, deinitialization time, flexible authentication, privilege management, resource accounting, auditing, and support of appropriate management.

Cloud clients must understand CSP-specific features of access control for networks, systems and applications.

5.4. Conclusions

Authentication and authorization tools are classified as classical means of controlling access and information security, both in business and in global communication networks. Very often, traditional methods of data protection focus on building a centralized network and a security perimeter with tools such as firewalls and intrusion detection systems. This approach does not provide sufficient protection against attacks such as APTs (advanced persistent threats), in which the hacker (usually a group of hackers) masks the activity on the target host as daily operations, which makes it difficult to detect.

Many companies have also introduced database audit, control of access to the directory (DAP, Directory Access Protocol) and systems for analyzing incoming information from third-party systems (SIEM, Security Information and Event Management) to collect information about operations and processes, but event monitoring and correlation by themselves do not provide information security. It is very important to provide comprehensive protection, which should primarily include a system for early warning of the onset of an attack, display of suspicious incoming requests, detailed continuous analytics of incoming data, etc.

It is also necessary to provide data encryption, but it is important not to lose sight of its weaknesses: the encryption keys, access control, and the monitoring of data access. If encryption keys are not adequately protected, they are vulnerable to theft; if the keys are well protected but access control is not reliable enough, it is possible to gain access to sensitive data by posing as an authorized user. Encryption should be implemented on the basis of robust key access management solutions to guarantee protection of the keys.

Encryption works in conjunction with other data protection technologies and provides additional information about security for the construction of a comprehensive multi-layered approach to the protection and confidentiality of data, in order to reduce the risks of hacking in the cloud and beyond.

For authentication, the following solutions can be used:

Table. Solutions for authentication

| Solutions | Authentication method | Description |
|---|---|---|
| LAN Manager (LM), NT LAN Manager (NTLM), NT LAN Manager version 2, Kerberos, RADIUS | Authentication with reusable passwords | User accounts include the user ID or username and password. To log in, the user enters a username and password, which are passed to the authentication service. Based on the comparison of this pair with the reference value for the account, the user becomes authorized. |
| SecurID, ActivCard Token, combined USB key Aladdin eToken NG-OTP, Safeword | Authentication based on one-time passwords | For remote access to resources, reliable systems using one-time passwords have been developed. A system based on one-time passwords uses a different password for each new access request (Paterson, 2009). A one-time password is valid for only one login. |
| SSL | Authentication with digital certificate | The authentication server sends a request packet to the user, and the client software generates the response by digitally signing the request from the authentication server with the user's private key. The process of identity proof consists of the following stages: 1. receiving the public key (single process); 2. obtaining the user's public key certificate via some insecure channel. |

Thus, an effective solution for the information security of cloud infrastructure should include:

1. Closed access to the data. It is necessary to provide reliable management of cryptographic keys.

2. Access Policies. Only authorized users should have access to confidential information.

3. Intelligent system. The system should collect information to analyze user behavior and to notify in case of suspicious activity.

Ensuring information security in the cloud is not a trivial task; however, with the appropriate approach you get the perfect balance of all the benefits of the cloud model and a high level of protection, security and availability of your data and information systems.

This chapter contains the description of the main problems encountered in the implementation of access control systems, as well as their solutions. In addition, we have considered the SSL data encryption protocol and the problems of its use in cloud infrastructure, and have analyzed ways of solving them.
